Kerberos at CSAIL

The CSAIL computing infrastructure uses Kerberos V5 at the core for authentication of many CSAIL services such as public login, ssh, OIDC, and AFS. Each CSAIL user has a CSAIL.MIT.EDU “Kerberos Principal”, which is a strong authentication credential that is built upon cryptographic techniques. By exchanging time-sensitive tickets, you can make transactions secure without sending passwords in plaintext over the network. Think of it as your passport to all of the computing and information services CSAIL has to offer.

How do I set up Kerberos on my client?

How do I change my Kerberos Password?

If you already know your password and want to change it:

Run kpasswd on any TIG-managed CSAIL Ubuntu machine. (For instance, you can ssh to a TIG login server such as login.csail.mit.edu and run kpasswd there.) This works from anywhere on the Internet from which you can reach a CSAIL Ubuntu machine.

Mac OS (with CSAIL Kerberos support installed): open Ticket Viewer.app and choose “Change Password”. (Or you can use kpasswd from a TIG login server, as described above.)

Windows (with CSAIL Kerberos support installed): right-click Network Identity Manager (the ice cube icon next to the clock) and choose “Change password”. (Or you can use kpasswd from a TIG login server, as described above.)

If you have forgotten your CSAIL Kerberos Password:

Please come by the TIG area room 32-270 or thereabouts during business hours with a valid photo ID and a system administrator can help you reset it.

CSAIL Kerberos Account Password requirements

Minimum Characters: 8

Minimum Character Classes: 2
(out of alphanumeric, punctuation, whitespace)

May not contain the username

Passwords do not expire, but the account will be locked after 16 failed password attempts
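The following is an added example, not part of the CSAIL page or its software: a checker that applies the three requirements above so you can test a candidate password before running kpasswd. The case-insensitive username match and the fixed constant names are assumptions, not something the page specifies.

```python
import string

# Policy as stated on the page: at least 8 characters, at least 2 of the
# 3 character classes (alphanumeric, punctuation, whitespace), and the
# password may not contain the username. Lockout after 16 failed attempts
# is enforced server-side and is not modelled here.
MIN_LENGTH = 8
MIN_CLASSES = 2


def character_classes(password):
    """Return the set of character classes present in the password."""
    classes = set()
    for ch in password:
        if ch.isalnum():
            classes.add("alphanumeric")
        elif ch in string.punctuation:
            classes.add("punctuation")
        elif ch.isspace():
            classes.add("whitespace")
    return classes


def check_password(password, username):
    """Return a list of policy violations; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("fewer than %d characters" % MIN_LENGTH)
    if len(character_classes(password)) < MIN_CLASSES:
        problems.append("fewer than %d character classes" % MIN_CLASSES)
    # Assumption: the username check is case-insensitive.
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    for pw in ("correct horse", "alice1234", "short!"):
        print(repr(pw), check_password(pw, "alice") or "ok")
```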

What is Kerberos?

Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography. A free implementation of this protocol is available from the Massachusetts Institute of Technology. Kerberos is available in many commercial products as well.

The Internet is an insecure place. Many of the protocols used in the Internet do not provide any security. Tools to “sniff” passwords off of the network are in common use by malicious hackers. Thus, applications which send an unencrypted password over the network are extremely vulnerable. Worse yet, other client/server applications rely on the client program to be “honest” about the identity of the user who is using it. Other applications rely on the client to restrict its activities to those which it is allowed to do, with no other enforcement by the server.

Some sites attempt to use firewalls to solve their network security problems. Unfortunately, firewalls assume that “the bad guys” are on the outside, which is often a very bad assumption. Most of the really damaging incidents of computer crime are carried out by insiders. Firewalls also have a significant disadvantage in that they restrict how your users can use the Internet. (After all, firewalls are simply a less extreme example of the dictum that there is nothing more secure than a computer which is not connected to the network — and powered off!) In many places, these restrictions are simply unrealistic and unacceptable.

Kerberos was created by MIT as a solution to these network security problems. The Kerberos protocol uses strong cryptography so that a client can prove its identity to a server (and vice versa) across an insecure network connection. After a client and server have used Kerberos to prove their identity, they can also encrypt all of their communications to assure privacy and data integrity as they go about their business.

KERBEROS CREDENTIALS EXPIRE AFTER A WHILE.

This fact is due to a security measure that Kerberos uses to prevent a malicious person from stealing a user’s credentials. Since credentials expire, it helps minimize the window of opportunity that an attacker has to do damage with ill-gotten credentials. The shorter the lifetime of the credentials, the smaller that window of opportunity is. Of course, it also decreases the convenience to the user.

Some people are used to turning on their computer and never having to log in or type passwords, especially Macintosh users. However, in a large computing environment that is constantly being probed for just such a weak link, this is not an available luxury. We’ve struck a middle ground with our Kerberos realm that we think maintains a reasonable balance between security and convenience: we allow users to “renew” their credentials for up to one week. By default, CSAIL Kerberos tickets expire after ten hours, but at any point during those ten hours, a user can renew them for another ten hours; and so on, until seven days have passed.

The nice thing about the Kerberos application on Mac OS X, Network Identity Manager in Microsoft Windows, and other facilities for the CSAIL GNU/Linux distro, is that they can renew your tickets automatically for you. Just keep in mind that the longer you let your credentials hang around, the greater the risk you take that someone can steal your credentials and destroy, or, even worse, steal or subtly alter your files. It’s your choice where you want to be in the continuum of security and convenience.